When a threat in a computer or telecommunications system is discovered, response resources must be directed to the physical location of the equipment associated with the threat. In practice, this requires extensive effort to correlate existing threat information, router traffic information, and the physical location of the router and the impacted or suspect device, which dramatically lengthens response time. For example, today most responses to an intrusion require manual review of information such as TCP/IP switch logs, call detail records, advanced intelligent network logs, etc., followed by the manual drawing of network “maps” and, most importantly, attempts to mitigate the intrusion in a sequential or business-priority order while these efforts are still under way. These response schemes do not allow an organization's management to easily identify the geographical location of the threat(s) and the location(s) at which resources are most needed. Furthermore, current response schemes do not give an organization's response or management team timely access to geographical view(s) of the location of the threats together with information on the status or progress of the response to them.
In one instance, a digital or cyber threat may take the form of a direct attack, the introduction of malicious software such as a virus or worm, or another intrusion generated by a computing device that incorporates, or can be located by, one or more Global Positioning System (“GPS”) receivers. Accordingly, a PDA, a smartphone, or a laptop with embedded and/or integrated GPS capability can be the source of a computer-originated attack, for example a computer-triggered attack that remotely activates explosives. Likewise, certain wireless devices can be located with some degree of specificity, either through embedded GPS receivers or through GPS receivers incorporated into the towers/antennas that such devices access during an uplink. Both a device with an incorporated GPS receiver and a device that can be located using stationary GPS receivers are referred to herein as a “GPS Device.”
A GPS device may be used to trigger a computer-originated attack in many ways. In one scenario, a GPS device may initiate a computer-originated attack directly, for example, by starting a digital or cyber attack. Alternatively, a GPS device, when vulnerable, may be at the receiving end of a first digital or cyber attack. Once the vulnerable GPS device is compromised, it may then fall under the influence of the first digital or cyber attack and initiate a computer-originated attack.
Fortunately, a GPS device may capture its location information via a protocol such as National Marine Electronics Association (“NMEA”) 0183, the serial sentence format in which GPS receivers report position fixes. The captured location information can then be transmitted via another protocol, such as TCP or UDP, to an incident response environment. For example, existing security software, such as an antivirus product, may identify a digital or cyber attack, detect that the device is also receiving GPS information, and subsequently transmit the attack information and the GPS information back to the incident response environment.
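The capture-and-report path described above, as an added example that is not part of the original description: a Python program that verifies an NMEA 0183 sentence checksum, parses the position from a $GPRMC or $GPGGA sentence, rejects fixes the receiver itself marks invalid or that fall outside valid coordinate ranges, and packages the fix together with an alert into a UDP datagram for the incident response environment. The device identifier, the alert fields, the report layout and the sample sentences (the commonly cited example fix near Munich, plus one with a deliberately wrong checksum) are constructed for this example and are not taken from any product or standard. One caveat a responder should keep in mind, given the compromised-device scenario above: the checksum detects corruption, not forgery, so a compromised GPS device can report any location it likes, and an unauthenticated UDP report can be spoofed by anyone on the path; the transport should be authenticated (DTLS or a signed payload) before a location is acted on.

```python
import json
import socket
from dataclasses import dataclass, asdict
from typing import Optional


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two uppercase hex digits."""
    cs = 0
    for ch in body.encode("ascii"):
        cs ^= ch
    return f"{cs:02X}"


def verify_sentence(sentence: str) -> Optional[list]:
    """Return the comma-split fields if the sentence is well formed and the
    checksum matches, otherwise None. A compromised device can write anything
    to its serial port, so this catches corruption, not forgery."""
    if not sentence.startswith("$") or "*" not in sentence:
        return None
    body, _, given = sentence[1:].partition("*")
    if len(given) != 2 or nmea_checksum(body) != given.upper():
        return None
    return body.split(",")


def _to_decimal(value: str, hemisphere: str, degree_digits: int) -> float:
    """NMEA encodes latitude as ddmm.mmmm and longitude as dddmm.mmmm."""
    degrees = int(value[:degree_digits])
    minutes = float(value[degree_digits:])
    dec = degrees + minutes / 60.0
    return -dec if hemisphere in ("S", "W") else dec


@dataclass
class Fix:
    latitude: float
    longitude: float
    utc_time: str
    sentence: str  # which sentence type produced the fix


def parse_fix(sentence: str) -> Optional[Fix]:
    """Extract a position from a $GPRMC or $GPGGA sentence. Returns None for
    other sentence types, bad checksums, or a fix the receiver flags as
    invalid (RMC status 'V', GGA fix quality 0)."""
    fields = verify_sentence(sentence)
    if fields is None:
        return None
    kind = fields[0]
    try:
        if kind.endswith("RMC"):
            if fields[2] != "A":
                return None
            return Fix(_to_decimal(fields[3], fields[4], 2),
                       _to_decimal(fields[5], fields[6], 3), fields[1], kind)
        if kind.endswith("GGA"):
            if fields[6] == "0":
                return None
            return Fix(_to_decimal(fields[2], fields[3], 2),
                       _to_decimal(fields[4], fields[5], 3), fields[1], kind)
    except (IndexError, ValueError):
        return None
    return None


def build_report(device_id: str, alert: dict, sentence: str) -> Optional[bytes]:
    """Combine an alert from the endpoint security agent with the GPS fix into
    the datagram sent to the incident response environment. The field names
    are an assumption for this example, not a standard report format."""
    fix = parse_fix(sentence)
    if fix is None:
        return None
    if not (-90.0 <= fix.latitude <= 90.0 and -180.0 <= fix.longitude <= 180.0):
        return None  # checksum-valid but nonsensical: treat as untrusted
    report = {"device_id": device_id, "alert": alert, "fix": asdict(fix)}
    return json.dumps(report, sort_keys=True).encode("utf-8")


def send_report(payload: bytes, host: str, port: int) -> int:
    """Transmit over plain UDP as the text describes; unauthenticated, so wrap
    in DTLS or sign the payload before relying on it operationally."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (host, port))


if __name__ == "__main__":
    # Constructed sample sentences, not real captures; the last has a bad checksum.
    samples = [
        "$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A",
        "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47",
        "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*00",
    ]
    alert = {"signature": "EICAR-Test-File", "action": "quarantined"}  # constructed
    for s in samples:
        print(s[:6], "->", build_report("laptop-01", alert, s))
```

Only the first two sample sentences produce a report; the third is dropped at the checksum check, and a sentence whose status field is `V` or whose fix quality is `0` is dropped even with a valid checksum, which is the difference between "the receiver sent something" and "the receiver has a fix".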
Response resources can then be directed to the physical location of a GPS device under attack. In practice, however, this requires extensive effort to correlate existing threat data or vulnerability data with the GPS data collected and transmitted, which delays the response much as it does in a physical disaster or attack. So, even with GPS data available, most current responses to an intrusion or vulnerability require manual review of TCP/IP switch information, manual drawing of network “maps” and, most importantly, attempts to mitigate the intrusion or vulnerability in sequential order, as described above.
In other instances, the hacking of networks such as those now ubiquitous in billing and financial systems, viruses launched against computer systems, intrusions onto computer hosts and networks, fraudulent activities resulting in the theft of services such as telephone service (wired or wireless), cable television, Internet access, etc. are just a few examples of more technologically-sophisticated crimes that are not easily mapped to a physical location.
Businesses and organizations have also used technology in an attempt to thwart these technologically-advanced crimes. One method is through the detection of anomalies in data associated with business transactions, such as the detection of unauthorized or malicious users on computer hosts and networks, often called intrusion detection and fraud detection systems.
For example, computer applications are created having several layers with each layer including detective, preventive, and corrective controls. At the business transaction layer, the detective controls apply business rules used for supervisory type reports that may be voluminous depending upon the nature of the business and the number of transactions occurring. Though there may exist a geographical correlation between physical, network and computer-related crimes, such correlation may not be apparent from review of numerous discrete reports from various sources and of varying types and formats while simultaneously trying to mitigate the crime and respond to them.
These response schemes do not allow an organization's management to easily identify the geographical location of the problem(s) and the location(s) at which resources are most needed. Furthermore, current response schemes do not give an organization's response or management team timely access to geographical view(s) of the location of the crimes together with information on the status or progress of the response to them.